Irish regulators on Wednesday hit Facebook parent Meta with hundreds of millions in fines for online privacy violations and banned the company from forcing European users to agree to personalized ads based on their online activity.
Ireland’s Data Protection Commission imposed two fines totaling 390 million euros ($414 million) in its decision in two cases that could shake up Meta’s business model targeting users with ads based on what they do online.
The watchdog fined Meta 210 million euros for violations of the European Union’s strict data privacy rules involving Facebook and an additional 180 million euros for breaches involving Instagram.
It’s the commission’s latest punishment for Meta for data privacy infringements, following four other fines for the company since 2021 that total more than 900 million euros.
The decision stems from complaints filed in May 2018 when the 27-nation EU’s privacy rules, known as the General Data Protection Regulation, or GDPR, took effect.
Previously, Meta relied on getting informed consent from users to process their personal data to serve them personalized, or behavioral, ads. When GDPR came into force, the company changed the legal basis under which it processes user data by adding a clause to the terms of service for advertisements, effectively forcing users to agree that their data could be used. That violates EU privacy rules.
The Irish watchdog initially sided with Meta but changed its position after the draft decision was sent to a board of EU data protection regulators, many of whom objected.
In its final decision, the Irish watchdog said Meta “is not entitled to rely on the ‘contract’ legal basis to deliver behavioral adverts on Facebook and Instagram.”
Meta said in a statement that “we strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.”
The Irish watchdog is Meta’s lead European data privacy regulator because its regional headquarters is in Dublin.